Inspired by previous work of Shoup, Lenstra-De Smit and Couveignes-Lercier, we give fast algorithms to compute in (the first levels of) the ℓ-adic closure of a finite field. In many cases, our algorithms have quasi-linear complexity.

Categories and Subject Descriptors 

F.2.1 [Theory of computation]: Analysis of algorithms 
and problem complexity — Computations in finite fields; G.4 
[Mathematics of computing]: Mathematical software 

General Terms 

Algorithms, Theory 

Keywords 

Finite fields, irreducible polynomials, extension towers, algebraic tori, Pell's equation, elliptic curves.

1. INTRODUCTION 

Building arbitrary finite extensions of finite fields is a fundamental task in any computer algebra system. For this, an especially powerful system is the "compatibly embedded finite fields" implemented in Magma [2, 3], capable of building extensions of any finite field and keeping track of the embeddings between the fields.

The system described in [3] uses linear algebra to describe the embeddings of finite fields. From a complexity point of view, this is far from optimal: one may hope to compute and apply the morphisms in quasi-linear time in the degree of the extension, but this is usually out of reach of linear algebra techniques. Even worse, the quadratic memory requirements make the system unsuitable for embeddings of large degree extensions. Although the Magma core has evolved since the publication of the paper, experiments in Section 5 show that embeddings of large extension fields are still out of reach.

In this paper, we discuss an approach based on polynomial arithmetic, rather than linear algebra, with much better performance. We consider here one aspect of the question, ℓ-adic towers; we expect that this will play an important role towards a complete solution.

Let q be a power of a prime p, let F_q be the finite field with q elements and let ℓ be a prime. Our main interest in this paper is on the algorithmic aspects of the ℓ-adic closure of F_q, which is defined as follows. Fix arbitrary embeddings

    F_q ⊂ F_{q^ℓ} ⊂ F_{q^{ℓ^2}} ⊂ ⋯ ;

then, the ℓ-adic closure of F_q is the infinite field defined as

    F_{q^{ℓ^∞}} = \bigcup_{i ≥ 0} F_{q^{ℓ^i}}.

We also call an ℓ-adic tower the sequence of extensions F_q ⊂ F_{q^ℓ} ⊂ F_{q^{ℓ^2}} ⊂ ⋯. In particular, the ℓ-adic closures allow us to build the algebraic closure of F_q as

    \bar{F}_q = \bigotimes_{ℓ} F_{q^{ℓ^∞}},    (1)

where the tensor products are over F_q; we will briefly mention below the algorithmic counterpart of this equality.

We present here algorithms that allow us to "compute" in the first levels of ℓ-adic towers (in a sense defined hereafter); at level i, our goal is to be able to perform all basic operations in quasi-linear time in the extension degree ℓ^i. We do not discuss the representation of the base field F_q, and we count operations {+, −, ×, ÷} in F_q at unit cost.



The techniques we use are inspired by those in [6], which dealt with the Artin-Schreier case ℓ = p (see also [7], which reused these ideas in the case ℓ = 2): we construct families of irreducible polynomials with special properties, then give algorithms that exploit the special form of those polynomials to apply the embeddings. Because they are treated in the references [6, 7], we exclude the cases ℓ = p and ℓ = 2.

The field F_{q^{ℓ^i}} will be represented as F_q[X_i]/(Q_i), for some irreducible polynomial Q_i ∈ F_q[X_i]. Letting x_i be the residue class of X_i modulo Q_i endows F_{q^{ℓ^i}} with the monomial basis

    U_i = (1, x_i, x_i^2, …, x_i^{ℓ^i − 1}).    (2)

Let M : N → N be such that polynomials in F_q[X] of degree less than n can be multiplied in M(n) operations in F_q, under the assumptions of [30, Ch. 8.3]; using FFT multiplication, one can take M(n) ∈ O(n log(n) log log(n)). Then, multiplications and inversions in F_q[X_i]/(Q_i) can be done in respectively O(M(ℓ^i)) and O(M(ℓ^i) log(ℓ^i)) operations in F_q [30, Ch. 9-11]. This is almost optimal, as both results are quasi-linear in [F_{q^{ℓ^i}} : F_q] = ℓ^i.



Table 1: Summary of results

  Condition        Initialization                                   Q_i, T_i                                      Lift, push
  q = 1 mod ℓ      O_e(log(q))                                      O(ℓ^i)                                        O(ℓ^i)
  q = −1 mod ℓ     O_e(log(q))                                      O(ℓ^i)                                        O(M(ℓ^i) log(ℓ^i))
  (any q)          O_e(ℓ^2 + M(ℓ) log(q))                           O(M(ℓ^{i+1}) M(ℓ) log(ℓ^i)^2)                 O(M(ℓ^{i+1}) M(ℓ) log(ℓ^i))
  4ℓ < q^{1/4}     Õ_e(ℓ log^5(q) + ℓ^3) (bit)                      O_e(ℓ^2 + M(ℓ) log(ℓq) + M(ℓ^i) log(ℓ^i))     O(M(ℓ^i) log(ℓ^i))
  4ℓ < q^{1/4}     Õ_e(ℓ log^5(q)) (bit) + O_e(M(ℓ) √q log(q))      O_e(log(q) + M(ℓ^i) log(ℓ^i))                 O(M(ℓ^i) log(ℓ^i))

(Rows, in order: Section 2.2, Section 2.3 with Section 3.1, Section 2.4, Section 3.2 with the modular polynomial at each level, Section 3.2 with the isogeny cycle precomputed as in Remark 1.)

Computing embeddings requires more work. For this problem, it is enough to consider a pair of consecutive levels in the tower, as any other embedding can be done by applying this elementary operation repeatedly. Following again [6], we introduce two slightly more general operations, lift and push.

To motivate them, remark that for i ≥ 2, F_{q^{ℓ^i}} has two natural bases as a vector space over F_q. The first one is the monomial basis U_i seen above, corresponding to the univariate model F_q[X_i]/(Q_i). The second one amounts to seeing F_{q^{ℓ^i}} as a degree ℓ extension of F_{q^{ℓ^{i−1}}}, that is, as

    F_q[X_{i−1}, X_i]/(Q_{i−1}(X_{i−1}), T_i(X_{i−1}, X_i)),    (3)

for some polynomial T_i monic of degree ℓ in X_i, and of degree less than ℓ^{i−1} in X_{i−1}. The corresponding basis is bivariate and involves x_{i−1} and x_i:

    B_i = (1, …, x_{i−1}^{ℓ^{i−1} − 1}, …, x_i^{ℓ−1}, …, x_{i−1}^{ℓ^{i−1} − 1} x_i^{ℓ−1}).    (4)

Lifting corresponds to the change of basis from B_i to U_i; pushing is the inverse transformation.

Lift and push allow us to perform embeddings as a particular case, but they are also the key to many further operations. We do not give details here, but we refer the reader to [6, 16] for examples such as the computation of relative traces, norms or characteristic polynomials, and applications to solving Artin-Schreier or quadratic equations, given in [6] and [7] for respectively ℓ = p and ℓ = 2.

Table 1 summarizes our main results. Under various assumptions, it gives costs (counted in terms of operations in F_q) for initializing the construction, building the polynomials Q_i and T_i from Eq. (3), and performing lift and push. O_e( ) indicates probabilistic algorithms with expected running time, and Õ_e( ) indicates the additional omission of logarithmic factors. Two entries mention bit complexity, as they use an elliptic curve point counting algorithm.

In all cases, our results are close to being linear-time in ℓ^i, up to sometimes the loss of a factor polynomial in ℓ. Except for the (very simple) case where q = 1 mod ℓ, these results are new, to the best of our knowledge. To obtain them, we use two constructions: the first one (Section 2) uses cyclotomy and descent algorithms; the second one (Section 3) relies on the construction of a sequence of fibers of isogenies between algebraic groups.

These constructions are inspired by previous work due to respectively Shoup [25, 26] and Lenstra / De Smit [15], and Couveignes / Lercier [4]. We briefly discuss them here and give more details in the further sections.

Lenstra and De Smit [15] address a question similar to ours, the construction of the ℓ-adic closure of F_q (and of its algebraic closure), with the purpose of standardizing it. The resulting algorithms run in polynomial time, but (implicitly) rely on linear algebra and multiplication tables, so quasi-linear time is not directly reachable. References [25, 26, 4] discuss a related problem, the construction of irreducible polynomials over F_q; the question of computing embeddings is not considered. Note that the results in [4] are quasi-linear; they rely however on an algorithm by Kedlaya and Umans [13] that works only in a boolean model, and as a result share this specificity.

To conclude the introduction, let us mention a few applications of our results. A variety of computations in number theory and algebraic geometry require constructing new extension fields and moving elements from one to the other. As it turns out, in many cases, the ℓ-adic constructions considered here are sufficient: two examples are [5, 9], both in relation to torsion subgroups of Jacobians of curves.

The main question remains of course the cost of computing in arbitrary extensions. As shown by Eq. (1), this boils down to the study of ℓ-adic towers, as done in this paper, together with algorithms for computing in composita. References [25, 26, 4] deal with related questions for the problem of computing irreducible polynomials; a natural follow-up to the present work is to study the cost of embeddings and similar changes of bases in this more general context.

2. QUASI-CYCLOTOMIC TOWERS 

In this section, we discuss a construction of the ℓ-adic tower over F_q inspired by previous work of Shoup [25, 26], Lenstra-De Smit [15] and Couveignes-Lercier [4]. The results of this section establish rows 1 and 3 of Table 1.

The construction starts by building an extension K_0 = F_q[Y_0]/(P_0), such that the residue class y_0 of Y_0 is a non ℓ-adic residue in K_0 (we discuss this in more detail in the first subsection); we let r be the degree of P_0.

By [14, Th. VI.9.1], for i ≥ 1, the polynomial Y_i^{ℓ^i} − y_0 ∈ K_0[Y_i] is irreducible, so that K_i = K_0[Y_i]/(Y_i^{ℓ^i} − y_0) is a field with q^{rℓ^i} elements. If we let y_i be the residue class of Y_i in K_i, these fields are naturally embedded in one another by the isomorphism K_{i+1} ≃ K_i[Y_{i+1}]/(Y_{i+1}^ℓ − y_i); in particular, the relation y_{i+1}^ℓ = y_i holds.

In order to build F_{q^{ℓ^i}}, we apply a descent process, for which we follow an idea of Shoup's. For i ≥ 0, let x_i be the trace of y_i over the subfield of K_i of index r, that is, over F_{q^{ℓ^i}}:

    x_i = \sum_{j=0}^{r−1} y_i^{q^{jℓ^i}}.    (5)

Then, [25, Th. 2.1] proves that F_q(x_i) = F_{q^{ℓ^i}} (see Figure 1). In particular, the minimal polynomials of x_1, x_2, … over F_q are the irreducible polynomials Q_i we are interested in.

We will show here how to compute these polynomials, the polynomials T_i introduced in Eq. (3) and how to perform lift and push. To this effect, we will define more general minimal polynomials: for 0 ≤ j ≤ i, we will let Q_{i,j} ∈ F_q(x_j)[X_i] be the minimal polynomial of x_i over F_q(x_j), so that Q_{i,j} has degree ℓ^{i−j}, with in particular Q_{i,0} = Q_i and Q_{i,i−1} = T_i(x_{i−1}, X_i).

Figure 1: The ℓ-adic towers over F_q and K_0. Left tower: K_0 = F_q(y_0) ⊂ K_1 = K_0(y_1) ⊂ K_2 = K_1(y_2) ⊂ ⋯; right tower: F_q ⊂ F_{q^ℓ} = F_q(x_1) ⊂ F_{q^{ℓ^2}} = F_q(x_2) ⊂ ⋯. Each vertical step has degree ℓ, and each horizontal inclusion F_q(x_i) ⊂ K_i has degree r.

In Subsections 2.2 and 2.3 we discuss favorable cases, where ℓ divides respectively q − 1 and q + 1. The first case is folklore; it yields the fastest and simplest algorithms; our results for the second case are close to, but distinct from, previous work of Gurak [10]. We will revisit these cases in Section 3 and account for their naming convention. Our results in the general case (Subsection 2.4) are slower, but still quasi-linear in ℓ^i, up to a factor polynomial in ℓ.

Shoup used this setup to compute Q_i in time quadratic in ℓ^i [26, Th. 11]. It is noted there that using modular composition techniques [30, Ch. 12], this behavior could be improved to get a subquadratic exponent in ℓ^i, up to an extra cost polynomial in ℓ. For ℓ = 3 (where we are in one of the first two cases), Couveignes and Lercier make a similar remark in [4, § 2-4]; using a result by Kedlaya and Umans [13] for modular composition, they derive for any ε > 0 a cost of 3^{i(1+ε)} O(log(q)) bit operations, up to polynomial terms in log log(q).

In this section, and in the rest of this paper, if L/K is a field extension, we write Tr_{L/K}, N_{L/K} and Gal_{L/K} for the trace, norm and Galois group of the extension. Recall also that the notation O_e( ) indicates an expected running time.

2.1 Finding P_0

To determine P_0, we compute the ℓ-th cyclotomic polynomial Φ_ℓ ∈ Z[X_0] and factor it over F_q[X_0]: by [26, Th. 9], this takes O_e(M(ℓ) log(ℓq)) operations in F_q.

Over F_q[X_0], Φ_ℓ splits into irreducible factors of the same degree r, where r is the order of q in (Z/ℓZ)^* (so r divides ℓ − 1); let F_0 be one of these factors. By construction, there exist non ℓ-adic residues in F_q[X_0]/(F_0). Once such a non-residue y_0 is found, we simply let P_0 be its minimal polynomial over F_q (which still has degree r); given y_0, computing P_0 takes O(r^2) operations in F_q.

Following [25, 26, 4], we pick y_0 at random: we expect to find a non-residue after O(1) trials; by [26, Lemma 15], each takes O_e(M(ℓ) log(r) + M(r) log(ℓ) log(r) + M(r) log(q)) operations in F_q. An alternative due to Lenstra and De Smit is to take iterated ℓ-th roots of x_0 mod P_0 until we find a non-residue: this idea is helpful in making the construction canonical, but more costly, so we do not consider it.



2.2 T_1-type extensions

We consider here the simplest case, where ℓ divides q − 1; the (classical) facts below give the first row of Table 1.

In this case, Φ_ℓ splits into linear factors over F_q (so r = 1). The polynomial P_0 is of the form Y_0 − y_0, where y_0 is a non ℓ-adic residue in F_q; since we can bypass the factorization of Φ_ℓ, the cost of initialization is O_e(log(q)) operations in F_q. Besides, no descent is required: for i ≥ 0, we have K_i = F_{q^{ℓ^i}} and x_i = y_i; the families of polynomials we obtain are

    Q_i = X_i^{ℓ^i} − y_0   and   T_i = X_i^ℓ − X_{i−1}.    (6)

Pushing amounts to taking F = \sum_{0 ≤ j < ℓ^{i+1}} f_j x_{i+1}^j and rewriting it as a bivariate polynomial in x_i, x_{i+1}, using the rule

    x_{i+1}^j = x_i^{j div ℓ} x_{i+1}^{j mod ℓ}.

Lifting does the converse operation, using the rule

    x_i^e x_{i+1}^f = x_{i+1}^{eℓ + f}.

Both use only exponent arithmetic, and no operation in F_q.
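As an added example (not code from the paper), the Python script below builds the first levels of this tower over a prime field F_p with ℓ | p − 1: it samples y_0 by the exponentiation test y_0^{(p−1)/ℓ} ≠ 1, implements push and lift as the exponent reindexings above, and checks that the embedding x_i ↦ x_{i+1}^ℓ (lifting an element whose x_{i+1}-degree is 0) commutes with multiplication in F_p[X_i]/(X_i^{ℓ^i} − y_0). The parameters p = 7, ℓ = 3, the random seeds and the sample coefficient vectors are constructed for the test; the schoolbook product is only for illustration, not the quasi-linear M(n) of the text.

```python
"""T_1-type tower over a prime field F_p with ell | p - 1 (Section 2.2), added example.
Elements of F_p[X]/(X^n - y0) are coefficient lists of length n, index = degree."""
import random


def find_non_residue(p, ell, rng=random.Random(1)):
    """Return y0 in F_p that is not an ell-th power: y0^((p-1)/ell) != 1.
    Expected O(1) trials, each one O(log p) exponentiation (row 1 of Table 1)."""
    assert (p - 1) % ell == 0
    while True:
        y0 = rng.randrange(2, p)
        if pow(y0, (p - 1) // ell, p) != 1:
            return y0


def level_mul(a, b, n, y0, p):
    """Product in F_p[X]/(X^n - y0) for a, b of length n (schoolbook, for
    illustration only; the text relies on quasi-linear M(n)).  Reduction uses
    X^n = y0, so the coefficient of X^(n+k) folds onto X^k times y0."""
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % p
    for d in range(2 * n - 2, n - 1, -1):
        prod[d - n] = (prod[d - n] + y0 * prod[d]) % p
    return prod[:n]


def push(F, i, ell):
    """Push: monomial basis in x_{i+1} (length ell^(i+1)) -> bivariate basis
    B[e][f] = coefficient of x_i^e x_{i+1}^f, via
    x_{i+1}^j = x_i^(j div ell) x_{i+1}^(j mod ell).  No F_p operation."""
    B = [[0] * ell for _ in range(ell ** i)]
    for j, fj in enumerate(F):
        B[j // ell][j % ell] = fj
    return B


def lift(B, i, ell):
    """Lift: inverse of push, x_i^e x_{i+1}^f = x_{i+1}^(e*ell + f)."""
    F = [0] * (ell ** (i + 1))
    for e, row in enumerate(B):
        for f, c in enumerate(row):
            F[e * ell + f] = c
    return F


def embed(A, i, ell):
    """Embedding F_{p^(ell^i)} -> F_{p^(ell^(i+1))}: since T_{i+1} = X_{i+1}^ell - X_i,
    x_i = x_{i+1}^ell, so A is the bivariate element with x_{i+1}-degree 0; lift it."""
    B = [[c] + [0] * (ell - 1) for c in A]
    return lift(B, i, ell)


def embedding_is_multiplicative(p, ell, y0, i, trials=5, rng=random.Random(2)):
    """Check embed(a*b) == embed(a)*embed(b) on random a, b, with the products
    taken in level i and level i+1 respectively."""
    n, m = ell ** i, ell ** (i + 1)
    for _ in range(trials):
        a = [rng.randrange(p) for _ in range(n)]
        b = [rng.randrange(p) for _ in range(n)]
        lhs = embed(level_mul(a, b, n, y0, p), i, ell)
        rhs = level_mul(embed(a, i, ell), embed(b, i, ell), m, y0, p)
        if lhs != rhs:
            return False
    return True
```

The multiplicativity check is the practical confirmation that Q_{i+1} = X_{i+1}^{ℓ^{i+1}} − y_0 really sits above Q_i with the same y_0: with a different constant at the two levels, x_i ↦ x_{i+1}^ℓ would not be a ring morphism and the check fails.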

2.3 T_2-type extensions

Next, we consider the case where ℓ divides q + 1, so that Φ_ℓ splits into quadratic factors over F_q (that is, r = 2). We also require that y_0 has norm 1 over F_q (see below for a discussion); we can then deduce an expression for the polynomials Q_{i,j} ∈ F_q(x_j)[X_i].

Proposition 1. For 0 ≤ j ≤ i,

    Q_{i,j}(X_i) = Y^{ℓ^{i−j}} + Y^{−ℓ^{i−j}}  mod  (Y^2 − X_i Y + 1).    (7)

Proof. Since N_{K_0/F_q}(y_0) = 1, N_{K_i/F_q(x_i)}(y_i) is an ℓ^i-th root of unity. But ℓ does not divide q − 1, so 1 is the only such root in F_q, and by induction on i it also is the only such root in F_q(x_i); hence, the minimal polynomial of y_i over F_q(x_i) is Y^2 − x_i Y + 1. By composition, it follows that the minimal polynomial of y_i over F_q(x_j) is Y^{2ℓ^{i−j}} − x_j Y^{ℓ^{i−j}} + 1. Taking a resultant to eliminate Y between these two polynomials gives the following relation between x_j and x_i:

    Q_{i,j}(X_i)^2 = Res_Y(Y^{2ℓ^{i−j}} − x_j Y^{ℓ^{i−j}} + 1, Y^2 − X_i Y + 1).

By direct calculation, this is equivalent to Eq. (7). □

This proposition would allow us to compute Q_{i,j} in time O(M(ℓ^{i−j})) by repeated squaring. In Section 3.1 we use arithmetic geometry to give a better algorithm, and to efficiently find a y_0 satisfying the hypotheses; we leave the algorithms for lift and push to Section 4.

2.4 The general case 

Finally, we discuss the general situation, where we make no assumption on the behavior of Φ_ℓ in F_q[X]. This completes the third row of Table 1, using the bound r ∈ O(ℓ).

Because r = [K_0 : F_q] divides ℓ − 1, it is coprime with ℓ. Thus, Q_i remains the minimal polynomial of x_i over K_0, and more generally Q_{i,j} remains the minimal polynomial of x_i over K_j; this will allow us to replace F_q by K_0 as our base field. We will measure all costs by counting operations in K_0, and we will deduce the cost over F_q by adding a factor O(M(r) log(r)) to account for the cost of arithmetic in K_0.

For i ≥ 0, since K_i = K_0[Y_i]/(Y_i^{ℓ^i} − y_0), we represent the elements of K_i on the basis {y_i^e | 0 ≤ e < ℓ^i}; for instance, using y_i^{ℓ^i} = y_0, x_i is written on this basis as

    x_i = \sum_{j=0}^{r−1} y_0^{\,q^{jℓ^i} \,div\, ℓ^i} \; y_i^{\,q^{jℓ^i} \,mod\, ℓ^i}.    (8)

Our strategy is to convert between two univariate bases of K_i, {y_i^e | 0 ≤ e < ℓ^i} and {x_i^e | 0 ≤ e < ℓ^i}. In other words, we show how to apply the isomorphism

    Ψ_i : K_i = K_0[Y_i]/(Y_i^{ℓ^i} − y_0) → K_0[X_i]/(Q_{i,0})

and its inverse; we will compute the required polynomials Q_{i,0} and Q_{i,i−1} as a byproduct. In a second step, we will use Ψ_i to perform push and lift between the monomial basis in x_i and the bivariate basis in (x_{i−1}, x_i).

We will factor Ψ_i into elementary isomorphisms

    Ψ_{i,j} : K_j[X_i]/(Q_{i,j}) → K_{j−1}[X_i]/(Q_{i,j−1}),   j = i, …, 1.

To start the process, with j = i, we let Q_{i,i} = X_i − x_i ∈ K_i[X_i], so that K_i = K_i[X_i]/(Q_{i,i}). Take now j ≤ i and suppose that Q_{i,j} is known. We are going to factor Ψ_{i,j} further as Ψ''_{i,j} ∘ Ψ'_{i,j} ∘ Φ_{i,j} by introducing first the isomorphism

    φ_j : K_j → K_{j−1}[Y_j]/(Y_j^ℓ − y_{j−1}).

The forward direction is a push from the monomial basis in y_j to the bivariate basis in (y_{j−1}, y_j) and the inverse is a lift; none of them involves any arithmetic operation (see Subsection 2.2). Then, we deduce the isomorphism

    Φ_{i,j} : K_j[X_i]/(Q_{i,j}) → K_{j−1}[Y_j, X_i]/(Y_j^ℓ − y_{j−1}, Q*_{i,j}),

where Q*_{i,j} is obtained by applying φ_j to all coefficients of Q_{i,j}. Since Φ_{i,j} consists in a coefficient-wise application of φ_j, applying it or its inverse costs no arithmetic operations.

Next, changing the order of Y_j and X_i, we deduce that there exists S_{i,j} in K_{j−1}[X_i] and an isomorphism

    Ψ'_{i,j} : K_{j−1}[Y_j, X_i]/(Y_j^ℓ − y_{j−1}, Q*_{i,j}) → K_{j−1}[X_i, Y_j]/(Q_{i,j−1}, Y_j − S_{i,j}),

where deg(Q*_{i,j}, X_i) = ℓ^{i−j} and deg(Q_{i,j−1}, X_i) = ℓ^{i−j+1}.

Lemma 2. From Q*_{i,j}, we can compute Q_{i,j−1} and S_{i,j} in O(M(ℓ^{i+1}) log(ℓ^i)) operations in K_0. Once this is done, we can apply Ψ'_{i,j} or its inverse in O(M(ℓ^{i+1})) operations in K_0.

Proof. We obtain Q_{i,j−1} and S_{i,j} from the resultant and degree-1 subresultant of Y_j^ℓ − y_{j−1} and Q*_{i,j} with respect to Y_j, computed over the polynomial ring K_{j−1}[X_i]. This is done by the algorithms of [22, 20], using O(M(ℓ^{i+1}) log(ℓ)) operations in K_0 (for this analysis, and all others in this proof, we assume that we use Kronecker's substitution for multiplications). To obtain S_{i,j}, we invert the leading coefficient of the degree-1 subresultant modulo the resultant Q_{i,j−1}; this takes O(M(ℓ^i) log(ℓ^i)) operations in K_0.

Applying Ψ'_{i,j} amounts to taking a polynomial A(Y_j, X_i) reduced modulo (Y_j^ℓ − y_{j−1}, Q*_{i,j}) and reducing it modulo (Q_{i,j−1}, Y_j − S_{i,j}). This is done by computing A(S_{i,j}, X_i), doing all operations modulo Q_{i,j−1}. Using Horner's scheme on the degree in Y_j (which is less than ℓ), this takes O(ℓ) operations (+, ×) in K_{j−1}[X_i]/(Q_{i,j−1}), so the complexity claim follows.

Conversely, we start from A(X_i) reduced modulo Q_{i,j−1}; we have to reduce it modulo (Y_j^ℓ − y_{j−1}, Q*_{i,j}). This is done using the fast Euclidean division algorithm with coefficients in K_{j−1}[Y_j]/(Y_j^ℓ − y_{j−1}) for O(M(ℓ^{i+1})) operations in K_0. □



The last isomorphism Ψ''_{i,j} is trivial:

    Ψ''_{i,j} : K_{j−1}[X_i, Y_j]/(Q_{i,j−1}, Y_j − S_{i,j}) → K_{j−1}[X_i]/(Q_{i,j−1})

forgets the variable Y_j; it requires no arithmetic operation.

Taking j = i, …, 1 allows us to compute Q_{i,i−1} and Q_{i,0} for O(i^2 M(ℓ^{i+1}) log(ℓ)) operations in K_0. Composing the maps Ψ_{i,j}, we deduce further that we can apply Ψ_i or its inverse for O(i M(ℓ^{i+1})) operations in K_0.

We claim that we can then perform push and lift between the monomial basis in x_i and the bivariate basis in (x_{i−1}, x_i) for the same cost. Let us for instance explain how to lift.

We start from A written on the bivariate basis in (x_{i−1}, x_i); that is, A is in K_0[X_{i−1}, X_i]/(Q_{i−1}, T_i). Apply Ψ_{i−1}^{−1} to its coefficients in x_i^0, …, x_i^{ℓ−1}, to rewrite A as an element of

    K_0[Y_{i−1}, X_i]/(Y_{i−1}^{ℓ^{i−1}} − y_0, T_i) = K_{i−1}[X_i]/(Q_{i,i−1}).

Applying Ψ_{i,i}^{−1} gives us the image of A in K_i, and applying Ψ_i finally brings it to K_0[X_i]/(Q_i).

3. TOWERS FROM IRREDUCIBLE FIBERS 

In this section we discuss another construction of the ℓ-adic tower based on work of Couveignes and Lercier [4]. The results of this section are summarized in rows 2, 4 and 5 of Table 1. This construction is not unrelated to the ones of the previous section, and indeed we will start by showing how those of Sections 2.2 and 2.3 reduce to it.

Here is the bottom line of Couveignes' and Lercier's idea. Let G, G' be integral algebraic F_q-groups of the same dimension and let φ : G' → G be a surjective, separable algebraic group morphism. Let ℓ be the degree of φ; then, the set of points x ∈ G with fiber G'_x of cardinality ℓ is a nonempty open subset U ⊂ G. If the induced homomorphism G'(F_q) → G(F_q) of groups is not surjective, then there are points of G(F_q) with fibers lying in algebraic extensions of F_q. Assume that we are able to choose φ so that we can find one of these points contained in U, with an irreducible fiber, and apply a linear projection to this fiber (e.g., onto an axis). The resulting polynomial is irreducible of degree dividing ℓ (and expectedly equal to ℓ). If we can repeat the construction with a new map φ' : G'' → G', and so on, the sequence of extensions makes an ℓ-adic tower over F_q.

3.1 Towers from algebraic tori 

In [4], Couveignes and Lercier explain how their idea yields the tower of Section 2.2. Consider the multiplicative group G_m: this is an algebraic group of dimension one, and G_m(F_q) has cardinality q − 1. The ℓ-th power map defined by φ : X ↦ X^ℓ is a degree ℓ algebraic endomorphism of G_m, surjective over the algebraic closure.

Suppose that ℓ divides q − 1, and let η be a non ℓ-adic residue in F_q (η plays here the same role as y_0 in Section 2). For any i > 0, the fiber φ^{−i}(η) is defined by X^{ℓ^i} − η: we recover the construction of Subsection 2.2.

More generally, let F_{q^n}/F_q be a finite extension and define its maximal torus as

    T_n = { a ∈ F_{q^n} | N_{F_{q^n}/F_{q^m}}(a) = 1 for every proper divisor m of n }.    (9)

T_n is a multiplicative subgroup of F_{q^n}^*, and, by Weil descent, an algebraic group over F_q. It has dimension ϕ(n) (Euler's totient), cardinality Φ_n(q), and is isomorphic to G_m^{ϕ(n)} over F_{q^n} [24, 31].



We now detail how the construction of Section 2.3 can be obtained by considering the torus T_2; this will allow us to start completing the second row in Table 1.

Lemma 3. Let Δ ∈ F_q be a quadratic non-residue if p ≠ 2, or such that Tr_{F_q/F_2}(Δ) = 1 otherwise. Let δ = √Δ or δ^2 + δ = Δ accordingly. The maximal torus T_2 of F_q(δ)/F_q is isomorphic to the Pell conic

    C : x^2 − Δ y^2 = 4        if p ≠ 2,
        x^2 Δ + xy + y^2 = 1   if p = 2.    (10)

Multiplication in T_2 induces a group law on C. The neutral element is (2, 0) if p ≠ 2, or (0, 1) if p = 2. The sum of two points P = (x_1, y_1) and Q = (x_2, y_2) is defined by

    P ⊕ Q = ( (x_1 x_2 + Δ y_1 y_2)/2 , (x_1 y_2 + x_2 y_1)/2 )     if p ≠ 2,
    P ⊕ Q = ( x_1 x_2 + x_1 y_2 + x_2 y_1 , x_1 x_2 Δ + y_1 y_2 )   if p = 2.

Proof. The isomorphism follows by Weil descent with respect to the basis (1/2, δ/2) if p ≠ 2, or (δ, 1) if p = 2. Indeed, by virtue of Eq. (9), an element of F_q(δ) with coordinates (x, y) on that basis belongs to T_2 if and only if its norm over F_q is 1.

Let σ be the generator of Gal_{F_q(δ)/F_q}. For p ≠ 2, clearly δ^σ = −δ. For p = 2, by Artin-Schreier theory, Tr_{F_q(δ)/F_q}(δ) = 1, hence δ^σ = 1 + δ. In both cases, Eq. (10) follows by expanding the norm. The group law is obtained by direct calculation. □

Pell conics are a classic topic in number theory [18] and computer science, with applications to primality proving, factorization [17, 11] and cryptography [23].

As customary, we denote by [n](x, y) the n-th scalar multiple of a point (x, y).

Lemma 4. If (n, p) = 1, then [n] is a separable endomorphism of C of degree n, given by the rational maps

    [n](x, y) = ( P_n(x) , y R_n(x) )                if p ≠ 2,
    [n](x, y) = ( P_n(x) , y R_n(x) + R_{n−1}(x) )   if p = 2,    (11)

where P_n and R_n are defined by the initial values

    P_0 = 2,  P_1 = X,
    R_0 = 0,  R_1 = 1,

and by the same recurrence u_{n+1} = X u_n − u_{n−1}.

Proof. We know that C ≅ G_m over the algebraic closure, thus C[n] ≅ Z/nZ and [n] is separable of degree n. Eq. (11) is shown by induction using Eq. (10) and the group law. □

Theorem 5. Let η ∈ F_q(δ) be a non ℓ-adic residue in T_2, and let P = (α, β) be its image in C/F_q. For any i > 0, the polynomials P_{ℓ^i} − α are irreducible. Their roots are the abscissas of the images in C/F_{q^{ℓ^i}} of the ℓ^i-th roots of η.

Proof. By [14, Th. VI.9.1], the polynomial X^{ℓ^i} − η is irreducible. Its roots correspond to the fiber [ℓ^i]^{−1}(P), and the Galois group of F_{q^{ℓ^i}}/F_q acts transitively on them.

Two points of C have the same abscissa if and only if they are opposite. But η ≠ η^{−1}, hence all the points in [ℓ^i]^{−1}(P) have distinct abscissas. By Lemma 4, P_{ℓ^i} − α vanishes precisely on those abscissas and is thus irreducible. □

We can now apply our results to the computation of the polynomials Q_i and T_i of Section 2.3.

Corollary 6. The polynomials Q_{i,j} of Prop. 1 satisfy

    Q_{i,j}(X_i) = P_{ℓ^{i−j}}(X_i) − x_j.

Proof. We have already shown that N_{K_j/F_q(x_j)}(y_j) = 1 for any j, thus y_j is a non ℓ-adic residue in T_2/F_q(x_j). Independently of the characteristic and of the element Δ ∈ F_q(x_j) chosen, the abscissa of the image of y_j in C/F_q(x_j) is Tr_{K_j/F_q(x_j)}(y_j) = x_j. The statement follows from the previous theorem. □

Corollary 7. The polynomials Q_{i,j} can be computed using O(ℓ^{i−j}) operations.

Proof. From the previous corollary, it is enough to compute P_n using O(n) operations. We write P_n = \sum_i c_{n,i} X^{n−i}; from Lemma 4 we deduce that

    c_{n,i} = c_{n−1,i} − c_{n−2,i−2}.    (12)

By induction, it is immediate that c_{n,i} = 0 for i odd, and that signs alternate for i even, so we remove the odd coefficients and take absolute values. The new coefficients b_{n,k} = |c_{n+k,2k}| satisfy the relation

    b_{n,k} = b_{n−1,k} + b_{n−1,k−1},

which is the same as Pascal's relation; we actually obtain the (1,2)-Pascal triangle, also called Lucas' triangle [1]. In the same way, we can prove that the even coefficients of R_n are the entries of Pascal's triangle with alternating signs.

As is well-known, the coefficients of Lucas' triangle are related to those of Pascal's by

    b_{n,k} = \binom{n−1}{k−1} + \binom{n}{k} = \frac{n+k}{n} \binom{n}{k}.    (13)

Using Eq. (13) and the sign alternation property, we get

    \frac{c_{n,2k+2}}{c_{n,2k}} = − \frac{(n − 2k)(n − 2k − 1)}{(n − k − 1)(k + 1)}.

The last equation gives the formula to compute all the coefficients of P_n using O(n) operations in F_p. Indeed, since we know the c_{n,2k}'s are the image mod p of integers, we compute them using multiplications and divisions in Q_p with relative precision 1. □

We are left with the problem of finding the non ℓ-adic residue η to initialize the tower. As before, this will be done by random sampling and testing.

Lemma 8. Let P = (α, β) be a point on C. For any n, there is a formula to compute the abscissa of [±n]P, using O(log n) operations in F_q, and not involving β.

Proof. Observe that if n = 2, the abscissa of [±2]P is α^2 − 2 (for any p). Let P' = (α', β'), and let γ be the abscissa of P ⊖ P'. By direct computation we find that the abscissa of P ⊕ P' is αα' − γ (for any p); this formula is called a differential addition. Thus, O(1) operations are needed for a doubling or a differential addition. To compute the abscissa of [±n]P, we use the ladder algorithm of [21], requiring O(log n) doublings and differential additions. □

Proposition 9. The abscissa of a point P ∈ C/F_q satisfying the conditions of Theorem 5 can be found using O_e(log q) operations in F_q.

Proof. We randomly select α ∈ F_q and test that it is the abscissa of a point of C. If p ≠ 2, this amounts to testing that α^2 − 4 is a quadratic non-residue in F_q, a task that can be accomplished with O(log q) operations. If p = 2, by Artin-Schreier theory this is equivalent to Tr_{F_q/F_2}(1/α^2) = 1, which can be tested in O(log q) operations in F_q.

Then we check that P is a non ℓ-adic residue by verifying that [(q+1)/ℓ]P is not the group identity. By Lemma 8, this computation requires O(log q) operations. About half of the values α^2 − 4 are quadratic non-residues, and about 1 − 1/ℓ of the corresponding points have the required order, thus we expect to find the required element after O_e(1) trials. □
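As an added example (not code from the paper; odd p only), the Python script below implements the pieces of Sections 2.3 and 3.1 over a prime field F_p with ℓ | p + 1: P_n by the recurrence of Lemma 4 and by the O(n) coefficient formula of Corollary 7, the latter carried out with p-adic relative precision 1 (each coefficient kept as a unit mod p plus a valuation, so that divisions by multiples of p are exact); the abscissa-only ladder of Lemma 8; the search of Proposition 9; and Q_i = P_{ℓ^i} − α of Theorem 5 and Corollary 6. The parameters p = 5, ℓ = 3, the random seeds and the sample inputs are constructed for the test. Lemma 4 says the ladder output must equal P_n(α), which gives an independent check of both routines.

```python
"""Pell-conic arithmetic for the T_2-type tower (ell | p+1, p odd), added example.
Polynomials are coefficient lists with index = degree."""
import random


def dickson_recurrence(n, p):
    """P_n mod p from P_0 = 2, P_1 = X and P_{k+1} = X P_k - P_{k-1} (Lemma 4)."""
    prev, cur = [2 % p], [0, 1]
    if n == 0:
        return prev
    for _ in range(n - 1):
        shifted = [0] + cur                       # X * P_k
        nxt = [(shifted[d] - (prev[d] if d < len(prev) else 0)) % p
               for d in range(len(shifted))]
        prev, cur = cur, nxt
    return cur


def _split(m, p):
    """Write the nonzero integer m as p^v * u and return (v, u mod p)."""
    v = 0
    while m % p == 0:
        m //= p
        v += 1
    return v, m % p


def dickson_lucas(n, p):
    """P_n mod p in O(n) operations (Corollary 7): c_{n,0} = 1 and
    c_{n,2k+2} = -c_{n,2k} (n-2k)(n-2k-1) / ((n-k-1)(k+1)).
    Each c_{n,2k} is an integer carried to p-adic relative precision 1,
    i.e. as (unit mod p, valuation); its image mod p is unit if val == 0, else 0."""
    if n == 0:
        return [2 % p]
    coeffs = [0] * (n + 1)
    coeffs[n], unit, val = 1, 1, 0
    for k in range(n // 2):
        for m in (n - 2 * k, n - 2 * k - 1):           # numerator factors
            v, u = _split(m, p)
            unit, val = unit * u % p, val + v
        for m in (n - k - 1, k + 1):                   # denominator factors
            v, u = _split(m, p)
            unit, val = unit * pow(u, -1, p) % p, val - v
        unit = -unit % p
        assert val >= 0                                # c_{n,2k+2} is an integer
        coeffs[n - 2 * k - 2] = unit if val == 0 else 0
    return coeffs


def eval_poly(coeffs, x, p):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def ladder_abscissa(alpha, n, p):
    """Abscissa of [n]P from alpha = abscissa(P) only (Lemma 8): a ladder on the
    pair (x_k, x_{k+1}) of abscissas of [k]P and [k+1]P, with doubling
    x_{2k} = x_k^2 - 2 and differential addition x_{2k+1} = x_k x_{k+1} - alpha
    (abscissa(P + P') = a a' - abscissa(P - P')).  The identity has abscissa 2."""
    x0, x1 = 2 % p, alpha % p
    for bit in bin(n)[2:]:
        if bit == "0":
            x0, x1 = (x0 * x0 - 2) % p, (x0 * x1 - alpha) % p
        else:
            x0, x1 = (x0 * x1 - alpha) % p, (x1 * x1 - 2) % p
    return x0


def on_conic(alpha, p):
    """alpha is the abscissa of a point of C(F_p) of order > 2 iff alpha^2 - 4 is a
    quadratic non-residue (Euler's criterion)."""
    return pow((alpha * alpha - 4) % p, (p - 1) // 2, p) == p - 1


def find_abscissa(p, ell, rng=random.Random(3)):
    """Proposition 9: random alpha on C whose point is not an ell-th power in T_2
    (a group of order p+1), i.e. [(p+1)/ell]P is not the identity."""
    assert (p + 1) % ell == 0
    while True:
        alpha = rng.randrange(p)
        if on_conic(alpha, p) and ladder_abscissa(alpha, (p + 1) // ell, p) != 2:
            return alpha


def tower_polynomial(i, ell, alpha, p):
    """Q_i = P_{ell^i}(X) - alpha (Theorem 5 and Corollary 6 with j = 0)."""
    q = dickson_lucas(ell ** i, p)
    q[0] = (q[0] - alpha) % p
    return q


def has_root(coeffs, p):
    """Brute-force root search; for a cubic this decides irreducibility."""
    return any(eval_poly(coeffs, t, p) == 0 for t in range(p))
```

The precision-1 trick matters when (n − k − 1)(k + 1) is divisible by p: a naive division mod p would fail there, while the (unit, valuation) pair stays exact and the coefficient is reported as 0 whenever a positive power of p survives.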

It is natural to ask whether a similar construction could be applied to any ℓ. If r is the order of q modulo ℓ, the natural object to look at is T_r, but here we are faced with two problems. First, multiplication by ℓ is now a degree ℓ^{ϕ(r)} map, thus its fibers have too many points; instead, isogenies of degree ℓ should be considered. Second, it is an open question whether T_r can be parameterized using ϕ(r) coordinates; but even assuming it can be, we are still faced with the computation of a univariate annihilating polynomial for a set embedded in a ϕ(r)-dimensional space, a problem not known to be feasible in quasi-linear time. Studying this generalization is another natural follow-up to the present work.

3.2 Towers from elliptic curves 

Since it seems hard to deal with higher dimensional algebraic tori, it is interesting to look at other algebraic groups. Being one-dimensional, elliptic curves are good candidates. In this section, we quickly review Couveignes' and Lercier's construction, referring to [4] for details, and point out the modifications needed in order to build towers (as opposed to constructing irreducible polynomials).

Let ℓ be a prime different from p and not dividing q − 1. Let E_0 be an elliptic curve whose cardinality is a multiple of ℓ. By Hasse's bound, this is only possible if ℓ ≤ q + 2√q + 1. An isogeny is an algebraic group morphism between two elliptic curves that is surjective over the algebraic closure. It is said to be rational over F_q if it is invariant under the q-th power map; such an isogeny exists if and only if the curves have the same number of points over F_q. An isogeny of degree n prime to p is separable, and its kernel then contains exactly n points. Because of the assumptions on ℓ, there exists an e ≥ 1 such that, for any curve E isogenous to E_0, the ℓ-primary part of E(F_q) is cyclic of order ℓ^e.

Suppose for simplicity that p ≠ 2, 3 and let E_0 be expressed as the locus

    E_0 : y^2 = x^3 + ax + b,   with a, b ∈ F_q,    (14)

plus one point at infinity. We denote by H_0 the unique subgroup of E_0/F_q of order ℓ, and by φ_0 the unique isogeny whose kernel is H_0; we then label E_1 the image curve of φ_0. We go on denoting by H_i the unique subgroup of E_i/F_q of order ℓ, and by φ_i : E_i → E_{i+1} the unique isogeny with kernel H_i. The construction is depicted in Figure 2.

Figure 2: The isogeny cycle of E_0: E_0 → E_1 → E_2 → ⋯ → E_n ≅ E_0, each arrow being the ℓ-isogeny φ_i with kernel H_i.

Lemma 10. Let E_0, E_1, … be defined as above; there exists n ∈ O(√q log(q)) such that E_n is isomorphic to E_0.

Proof. It is shown in [4, § 4] that the isogenies φ_i are horizontal in the sense of [12], hence they necessarily form a cycle. Let t be the trace of E_0; the length of the cycle is bounded by the class number of Q[X]/(X^2 − tX + q), thus by Minkowski's bound it is in O(√q log(q)). □

In what follows, the index i is to be understood modulo the length of the cycle. This is a slight abuse, because E_n is isomorphic but not equal to E_0, but it does not hide any theoretical or computational difficulty.

Under the former assumptions, it is proved in [4, § 4] that if P is a point of E_i of order divisible by ℓ^e, and if ψ = φ_{i−1} ∘ φ_{i−2} ∘ ⋯ ∘ φ_j, then the fiber ψ^{−1}(P) is irreducible and has cardinality ℓ^{i−j}. Knowing E_i, Vélu's formulas [29] allow us to express the isogenies φ_i as rational fractions

    φ_i : E_i → E_{i+1},   (x, y) ↦ ( f_i(x)/g_i(x) , y · (f_i/g_i)'(x) ),    (15)

where g_i is the square polynomial of degree ℓ − 1 vanishing on the abscissas of the affine points of H_i, and f_i is a polynomial of degree ℓ.

There is a subtle difference between our setting and Couveignes' and Lercier's. The goal of [4] is to compute an extension of degree ℓ^i of F_q for a fixed i: this can be done by going forward i times, then taking the fiber of a point of E_i by the isogenies φ_{i−1}, …, φ_0. In our case, we are interested in building extensions of degree ℓ^i incrementally, i.e. without any a priori bound on i. Thus, we have to walk backwards in the isogeny cycle: if η ∈ F_q is the abscissa of a point of E_0 of order ℓ^e, we will use the following polynomials to define the ℓ-adic tower:

    T_1 = f_{−1}(X_1) − η g_{−1}(X_1),
    T_i = f_{−i}(X_i) − X_{i−1} g_{−i}(X_i).

The following theorem gives the time for building the 
tower; lift and push are detailed in the next section. 

Theorem 11. Suppose $4\ell < q^{1/4}$, and under the
above assumption. Initializing the $\ell$-adic tower requires
$\tilde{O}(\ell \log^5(q) + \ell^3)$ bit operations; and building the $i$-th level
requires $\tilde{O}(\ell^2 + M(\ell)\log(\ell q) + M(\ell^i)\log(\ell^i))$ operations in
$\mathbb{F}_q$.

Proof. For the initialization, [4, § 4.3] shows that if $4\ell <
q^{1/4}$, a curve $E_0$ with the required number of points can
be found in $\tilde{O}(\ell \log^5(q))$ bit operations. We also need to
compute the $\ell$-th modular polynomial $\Phi_\ell \bmod p$; for this, we
compute it over $\mathbb{Z}$ with $O(\ell^3)$ bit operations [8], then reduce
it modulo $p$.

To build the $i$-th level, we first need to find the equation of
$E_{-i}$. For this, we evaluate $\Phi_\ell$ at $j(E_{-i+1})$, using $O(\ell^2)$ operations.
The resulting polynomial has two roots in $\mathbb{F}_q$, namely
$j(E_{-i})$ and $j(E_{-i+2})$. We factor it using $\tilde{O}(M(\ell)\log(\ell q))$
operations [30, Ch. 14]. Once $E_{-i}$ is known, we find an $\ell$-torsion
point using $\tilde{O}(\log q)$ operations, and apply Vélu's
formulas to compute $\varphi_{-i}$. We deduce the polynomial $T_i$,
and $Q_i$ is obtained using $O(M(\ell^i)\log(\ell^i))$ operations using
Algorithm 1 given in the next section. □

Algorithm 1 Compose

Input: $P \in \mathbb{F}_q[X,Y]$, $f, g \in \mathbb{F}_q[Y]$, $n \in \mathbb{N}$
1: if $n = 1$ then
2:   return $P$
3: else
4:   $m \leftarrow \lceil n/2 \rceil$
5:   Let $P_0, P_1$ be such that $P = P_0 + X^m P_1$
6:   $Q_0 \leftarrow$ Compose($P_0, f, g, m$)
7:   $Q_1 \leftarrow$ Compose($P_1, f, g, n - m$)
8:   $Q \leftarrow Q_0\, g^{n-m} + Q_1\, f^m$
9:   return $Q$
10: end if

Remark 1. Instead of computing the cycle step by step,
we could compute it entirely during the initialization phase,
by using Vélu's formulas alone to compute $E_1, E_2, \ldots$ until
we hit $E_0$ again. By doing so, we avoid using the modular
polynomial $\Phi_\ell$ at each new level. By Lemma 10 this requires
$\tilde{O}(\ell\sqrt{q}\log(q))$ operations. This is not asymptotically good
in $q$, but for practical values of $q$ and $\ell$ the cycle is often
small and this approach works well. This is accounted for
in the last row of Table 1.

4. LIFTING AND PUSHING 

The previous constructions of $\ell$-adic towers based on irreducible
fibers share a common structure that allows us
to treat lifting and pushing in a unified way. Renaming the
variables $(X_{i-1}, X_i)$ as $(X, Y)$, the polynomials $(Q_{i-1}, Q_i, T_i)$
as $(R, S, T)$, the extension at level $i$ is described as

$$\mathbb{F}_q[Y]/(S(Y)) \quad \text{and} \quad \mathbb{F}_q[X,Y]/(R(X), T(X,Y)),$$

with $R$ of degree $\ell^{i-1}$, $S$ of degree $\ell^i$, and where $T(X,Y)$
has the form $f(Y) - X g(Y)$, with $\deg(f) = \ell$, $\deg(g) < \ell$
and $\gcd(f, g) = 1$; possibly, $g = 1$. In all this section, $f$, $g$
and their degree $\ell$ are fixed.

Lift is the conversion from the bivariate basis associated
to the right-hand side to the univariate basis associated to
the left-hand side; push is the inverse. Using the special
shape of the polynomial $T$, they reduce to composition and
decomposition of rational functions, as we show next. These
results fill in all missing entries in the lift / push column of
Table 1.

4.1 Lifting 

Let $P$ be in $\mathbb{F}_q[X, Y]$ and $n$ be in $\mathbb{N}$, with $\deg(P, X) < n$.
We define $P[f,g,n]$ as

$$P[f,g,n] = g^{n-1}\, P\!\left( \frac{f}{g}, Y \right) \in \mathbb{F}_q[Y].$$

If $P = \sum_{i=0}^{n-1} P_i(Y) X^i$, then $P[f,g,n] = \sum_{i=0}^{n-1} P_i\, f^i g^{n-1-i}$.
We first give an algorithm to compute this expression, then
show how to relate it to lifting; when $g = 1$, Algorithm 1
reduces to a well known algorithm for polynomial composition
[13, Ex. 9.20].

Theorem 12. On input $P, f, g, n$, with $\deg(P, X) < n$
and $\deg(P, Y) < \ell$, Algorithm 1 computes $Q = P[f,g,n]$
using $O(M(\ell n)\log(n))$ operations in $\mathbb{F}_q$.



Algorithm 2 Decompose

Input: $Q, f, g, h \in \mathbb{F}_q[Y]$, $n \in \mathbb{N}$
1: if $n = 1$ then
2:   return $Q$
3: else
4:   $m \leftarrow \lceil n/2 \rceil$
5:   $u \leftarrow 1/g^{n-m} \bmod f^m$
6:   $Q_0 \leftarrow Q u \bmod f^m$
7:   $Q_1 \leftarrow (Q - Q_0\, g^{n-m}) \operatorname{div} f^m$
8:   $P_0 \leftarrow$ Decompose($Q_0, f, g, h, m$)
9:   $P_1 \leftarrow$ Decompose($Q_1, f, g, h, n - m$)
10:  return $P_0 + X^m P_1$
11: end if



Proof. If $n = 1$, the theorem is obvious. Suppose $n >
1$; then $P_0$ and $P_1$ have degrees less than $m$ and $n - m$
respectively. By induction hypothesis,

$$Q_0 = P_0[f,g,m] = \sum_{i=0}^{m-1} P_i\, f^i g^{m-1-i}, \qquad
Q_1 = P_1[f,g,n-m] = \sum_{i=0}^{n-m-1} P_{i+m}\, f^i g^{n-m-1-i}.$$

Hence,

$$Q = \sum_{i=0}^{m-1} P_i\, f^i g^{n-1-i} + \sum_{i=0}^{n-m-1} P_{i+m}\, f^{i+m} g^{n-1-i-m} = P[f,g,n].$$

The only step that requires a computation is Step 8, costing
$O(M(\ell n))$ operations in $\mathbb{F}_q$. The recursion has depth $\log(n)$,
hence the overall complexity is $O(M(\ell n)\log(n))$. □

Corollary 13. At level $i$, one can perform the lift operation
using $O(M(\ell^i)\log(\ell^i))$ operations in $\mathbb{F}_q$.

Proof. We start from an element $\alpha$ written on the bivariate
basis, that is, represented as $A(X, Y)$ with $\deg(A, X) <
n = \ell^{i-1}$ and $\deg(A, Y) < \ell$ (note that $\ell n = \ell^i$). We
compute the univariate polynomials $A^* = A[f, g, n]$ and
$\gamma = g^{n-1}$ using $O(M(\ell^i)\log(\ell^i))$ operations in $\mathbb{F}_q$; then the
lift of $\alpha$ is $A^*/\gamma$ modulo $S$. The inverse of $\gamma$ is computed
using $O(M(\ell n)\log(\ell n))$ operations, and the multiplication
adds an extra $O(M(\ell n))$. □

4.2 Pushing 

We first deal with the inverse of the question dealt with
in Theorem 12: starting from $Q \in \mathbb{F}_q[Y]$, reconstruct $P \in
\mathbb{F}_q[X, Y]$ such that $Q = P[f, g, n]$. When $g = 1$, Algorithm 2
reduces to Algorithm 9.14 of [30].

Theorem 14. On input $Q, f, g, h, n$, with $\deg(Q) < \ell n$
and $h = 1/g \bmod f$, Algorithm 2 computes a polynomial
$P \in \mathbb{F}_q[X,Y]$ such that $\deg(P,X) < n$, $\deg(P, Y) < \ell$ and
$Q = P[f, g, n]$ using $O(M(\ell n)\log(n))$ operations in $\mathbb{F}_q$.

Proof. We prove the theorem by induction. If $n = 1$,
the statement is obvious, so let $n > 1$. The polynomials $Q_0$
and $Q_1$ verify $Q = Q_0\, g^{n-m} + Q_1\, f^m$. By construction, $Q_0$
has degree less than $\ell m$. Since $\deg(g) < \ell$, this implies that
$Q_0\, g^{n-m}$ has degree less than $\ell n$; thus, $Q_1$ has degree less
than $\ell(n - m)$. By induction, $P_0$ and $P_1$ have degree less
than $m$, resp. $n - m$, in $X$, and less than $\ell$ in $Y$, and

$$Q_0 = P_0[f,g,m] = \sum_{i=0}^{m-1} P_{0,i}\, f^i g^{m-1-i}, \qquad
Q_1 = P_1[f,g,n-m] = \sum_{i=0}^{n-m-1} P_{1,i}\, f^i g^{n-m-1-i}.$$

Hence, $P = P_0 + X^m P_1$ has degree less than $n$ in $X$ and less
than $\ell$ in $Y$, and the following proves correctness:

$$P[f,g,n] = \sum_{i=0}^{m-1} P_{0,i}\, f^i g^{n-1-i} + \sum_{i=m}^{n-1} P_{1,i-m}\, f^i g^{n-1-i}
= P_0[f,g,m]\, g^{n-m} + P_1[f,g,n-m]\, f^m = Q.$$

At Step 5 we do as follows: starting from $h = 1/g \bmod f$,
we deduce $1/g^{n-m} \bmod f$ in time $O(M(\ell)\log(n))$ by binary
powering mod $f$. We also compute $g^{n-m}$ in time $O(M(\ell n))$
by binary powering, and we use Newton iteration (starting
from $1/g^{n-m} \bmod f$) to deduce $1/g^{n-m} \bmod f^m$ in time
$O(M(\ell n))$. All other steps cost $O(M(\ell n))$; the recursion has
depth $\log(n)$, so the total cost is $O(M(\ell n)\log(n))$. □
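As an added illustration (not code from the paper or from its Sage implementation), the following Python implements Algorithm 1 (Compose, Theorem 12) and Algorithm 2 (Decompose, Theorem 14) over a constructed prime field, with polynomials in $Y$ stored as coefficient lists. Step 5 of Decompose obtains $1/g^{n-m} \bmod f^m$ by an extended Euclidean inverse instead of the binary-powering-plus-Newton route of the proof, so the parameter $h$ is not needed; the prime, $f$, $g$ and $P$ are constructed values, and `compose` expects `P` to hold exactly `n` coefficients in $X$.

```python
from functools import reduce
P_MOD = 101  # constructed prime; polynomials are coefficient lists, lowest degree first

def trim(a):  # drop leading zeros so that equal polynomials compare equal
    while a and a[-1] == 0: a.pop()
    return a

def add(a, b, sign=1):  # a + sign*b over F_p
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + sign * y) % P_MOD for x, y in zip(a, b)])

def mul(a, b):  # schoolbook product; a fast M(d) is not the point of this example
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P_MOD
    return trim(r)

power = lambda a, e: reduce(mul, [a] * e, [1])  # a^e by repeated products

def divmod_poly(a, b):  # (a div b, a mod b); b must be nonzero
    a, q = list(a), [0] * max(len(a) - len(b) + 1, 0)
    inv = pow(b[-1], -1, P_MOD)
    for i in range(len(a) - len(b), -1, -1):
        c = q[i] = a[i + len(b) - 1] * inv % P_MOD
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - c * y) % P_MOD
    return trim(q), trim(a)

def inv_mod(a, m):  # a^{-1} mod m by extended Euclid; assumes gcd(a, m) = 1
    r0, r1, s0, s1 = m, a, [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, add(s0, mul(q, s1), -1)
    c = pow(r0[-1], -1, P_MOD)  # normalise the (constant) gcd to 1
    return trim([x * c % P_MOD for x in s0])

def compose(P, f, g, n):  # Algorithm 1: P = [P_0, ..., P_{n-1}] -> P[f,g,n]
    if n == 1: return trim(list(P[0]))
    m = (n + 1) // 2
    Q0, Q1 = compose(P[:m], f, g, m), compose(P[m:], f, g, n - m)
    return add(mul(Q0, power(g, n - m)), mul(Q1, power(f, m)))  # Step 8

def decompose(Q, f, g, n):  # Algorithm 2: Q -> [P_0, ..., P_{n-1}] with Q = P[f,g,n]
    if n == 1: return [trim(list(Q))]
    m = (n + 1) // 2
    fm, gnm = power(f, m), power(g, n - m)
    Q0 = divmod_poly(mul(Q, inv_mod(gnm, fm)), fm)[1]  # Steps 5-6: Q / g^{n-m} mod f^m
    Q1 = divmod_poly(add(Q, mul(Q0, gnm), -1), fm)[0]  # Step 7: exact division by f^m
    return decompose(Q0, f, g, m) + decompose(Q1, f, g, n - m)
```

Decomposing the output of `compose` returns the original coefficient list, which is the injectivity of $P \mapsto P[f,g,n]$ on polynomials with $\deg(P,X) < n$, $\deg(P,Y) < \ell$ that the push operation relies on.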

Corollary 15. At level $i$, one can perform the push operation
using $O(M(\ell^i)\log(\ell^i))$ operations in $\mathbb{F}_q$.

Proof. Given $\alpha$ represented by a univariate polynomial
$A(Y)$ of degree less than $\ell n$, with $n = \ell^{i-1}$. We compute
$g^{n-1}$ and $A^* = g^{n-1} A \bmod S$ using $O(M(\ell^i))$ operations.
Then, we compute $h = 1/g \bmod f$ in time $O(M(\ell)\log(\ell))$
and apply Algorithm 2 to $A^*, f, g, h$ and $n$. The result
is a bivariate polynomial $B$, representing $\alpha$ on the bivariate
basis. The dominant phase is Algorithm 2, costing
$O(M(\ell^i)\log(\ell^i))$ operations in $\mathbb{F}_q$. □

5. IMPLEMENTATION 

To demonstrate the interest of our constructions, we made
a very basic implementation of the towers of Sections 3.1
and 3.2 in Sage [28]. It relies on Sage's default implementation
of quotient rings of $\mathbb{F}_p[X]$, which itself uses NTL [27]
for $p = 2$ and FLINT [12] for other primes. Towers based on
elliptic curves are constructed using the algorithm described
in Remark 1. The source code is available on De Feo's web
page.

We compare our implementation against three ways of
constructing $\ell$-adic towers in Magma:

• We construct the levels from bottom to top using the
default finite field constructor GF(). For the parameters
we were able to test, Magma uses tables of precomputed
Conway polynomials and automatically computes
embeddings on creation.¹

• We construct the highest level of the tower first, then
all the lower levels using the sub<> constructor.

• We construct the levels from bottom to top using random
dense polynomials, then we call the Embed() function.
We do not account for the time spent finding the
irreducible polynomials.

We ran tests on an Intel Xeon E5620 clocked at 2.4 GHz, 
using Sage 5.5 and Magma 2.18.12. The time required for 

¹ See http://magma.maths.usyd.edu.au/magma/releasenot




[Figure 3: plot; horizontal axis "height", 4 to 11, one panel per base field]

Figure 3: Times for building 3-adic towers on top of
$\mathbb{F}_2$ (left) and $\mathbb{F}_5$ (right), in Magma (first three lines)
and using our code.

the creation of 3-adic towers of increasing height is summarized
in Figure 3; the timings of our algorithms are labeled
T2 and Elliptic. Computations that took more than 4GB
RAM were interrupted.

Despite its simplicity, our code consistently outperforms
Magma on creation time. On the other hand, lift and push
operations take essentially no time in Magma, while in all
the tests of Figure 3 we measured a running time almost
perfectly linear for one push followed by one lift, taking
approximately 70 µs per coefficient (this is in the order of a
second around level 10). Nevertheless, the large gain in creation
time makes the difference in lift and push tiny, and we
are convinced that an optimized C implementation of the
algorithms of Section 4 would match Magma's performances.